BOSTON (05/08/2000) - IT executives moving to Windows 2000 are uncovering yet another set of standards-compliance problems, as they roll out the operating system and attempt to integrate it with servers that control critical network services.
The issues surround the Internet Engineering Task Force (IETF) standard Domain Name System (DNS), which is used to locate computers on a network and is the underlying service on the Internet that matches names, such as www.nwfusion.com, to IP addresses for locating Web sites and controlling e-mail delivery.
Microsoft Corp. has adopted a standardized variant of DNS in Win 2000, along with a set of extensions that some IT executives and experts say create an administrative burden and raise security questions when integrated with existing Unix-based DNS servers.
Win 2000 employs Dynamic DNS (DDNS) as the default mechanism to locate domain controllers and Active Directory, and to find computers and services. But DDNS, an Internet standard that lets machines automatically update DNS server records, isn't used by about 98% of the DNS servers currently deployed, according to some experts. IT administrators, wary of automatic updates to their Unix-based DNS servers, prefer manual updates so they can keep those servers under tight guard, even though DDNS can reduce the work of IP address management.
Microsoft also chose to implement an IETF proposed standard for Dynamic Host Configuration Protocol (DHCP) - which automatically assigns IP addresses to machines and updates DNS servers - that makes it difficult for IT executives to integrate Win 2000 into their existing DNS infrastructures.
The company used a draft specification for securely updating DNS records that doesn't interoperate with the DNS software in common use.
"It seems that Microsoft says it is standards-compliant, but some of its standards are draft documents or implementations that the rest of the industry has not caught up with," says one systems engineer for a large utility company on the East Coast who asked to remain anonymous. "Now we have to work around our DNS to accommodate what Microsoft is doing and that means more work for us."
Some say the administrative burden and issues around secure updates are the real concerns.
"The major problem is not technical, it's an administrative issue of who has control of DNS, Win 2000 or the Unix-based system that has been working for years," says Phil Cox, a consultant for SystemExperts in Sudbury, Massachusetts.
The majority of enterprise DNS servers today use public domain software called Berkeley Internet Name Domain (BIND). Cox says if users upgrade to BIND 8.2.2, and enable the IETF standard for DDNS and a draft specification for service records, they should not have integration problems with Win 2000.
But the upgrade from a static to a dynamic environment is not trivial, and requires configuration and administration changes.
The biggest issue is security. Microsoft used an IETF draft specification to implement secure DNS updates. The draft specification is not supported in today's BIND DNS servers, which means Win 2000 can't send secure updates to those machines.
"The fact that BIND has to accept insecure updates is a major security issue," Cox says.
Another issue is Win 2000 service records, or SRVs, which are used to locate services such as Active Directory, Kerberos or file/print. The SRVs that Microsoft uses adhere to a proposed IETF standard that allows underscore characters (_) in computer host names. Most current implementations of BIND follow the established host-name standard, which doesn't allow the underscore. Therefore, the SRVs cause errors in BIND.
Microsoft is advising users to turn off error checking in BIND DNS servers to solve the problem.
"I prefer not to turn off error checking because without it, I can get other faulty records in my DNS, and that can cause problems," says the administrator for the East Coast utility.
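One way to see which records actually trip a strict host-name check before turning checking off wholesale: the following audit is an added example, not code from the article or from BIND. It applies the RFC 1123 host-name rule to address-record owners and SRV targets while accepting the RFC 2782 underscore convention on SRV owner names; the zone fragment and host names in it are constructed.

```python
import re

# RFC 1123 host-name label (letters, digits, inner hyphens, 1-63 chars): rejects "_"
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def is_hostname(name):
    """Strict host-name check over every label of a fully qualified name."""
    return all(HOST_LABEL.match(lbl) for lbl in name.rstrip(".").split("."))

def _is_underscore_label(lbl):
    # RFC 2782 service and protocol labels such as _ldap and _tcp
    return lbl.startswith("_") and bool(HOST_LABEL.match(lbl[1:]))

def is_srv_owner(name):
    """_service._proto, then host-name labels or more underscore labels (_msdcs)."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 3 or not all(_is_underscore_label(lbl) for lbl in labels[:2]):
        return False
    return all(HOST_LABEL.match(lbl) or _is_underscore_label(lbl) for lbl in labels[2:])

def parse_line(line):
    """Split 'owner [ttl] [IN] TYPE rdata...' into (owner, TYPE, rdata tokens)."""
    owner, *rest = line.split()
    while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
        rest.pop(0)
    return owner, rest[0].upper(), rest[1:]

def audit_zone(zone_text):
    """Return (owner, problem) pairs for records a strict host-name check rejects."""
    problems = []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, rtype, rdata = parse_line(line)
        if rtype in ("A", "AAAA") and not is_hostname(owner):
            problems.append((owner, f"{rtype} owner is not a valid host name"))
        elif rtype == "SRV":
            if not is_srv_owner(owner):
                problems.append((owner, "SRV owner is not _service._proto.<name>"))
            if not is_hostname(rdata[-1]):
                problems.append((owner, f"SRV target {rdata[-1]} is not a valid host name"))
    return problems

# Constructed zone (not from the article): host records plus Win 2000-style SRVs.
SAMPLE_ZONE = """
dc1.example.com.                   IN A   10.0.0.5
bad_host.example.com.              IN A   10.0.0.9
_ldap._tcp.dc._msdcs.example.com.  IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.example.com.        IN SRV 0 100 88  dc_1.example.com.
"""
```

Run `audit_zone(SAMPLE_ZONE)`: the Win 2000 SRV owner names pass, while the underscore in a host record owner and in an SRV target are the only records flagged.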
Layers of confusion
Another integration issue involves DHCP. Microsoft has used part of an IETF draft called Option 81 to determine whether DHCP servers or Win 2000 clients will make updates to DNS servers. The updates are to the address, or "A," record, which maps a host name to an IP address. The Pointer (PTR) record does the reverse.
"If your DHCP server does not support Option 81, then your DHCP and your Win 2000 client potentially could try to update the same DNS record," says Mike Dooley, vice president of engineering for Lucent IP Services Product Group.
Lucent Technologies Inc. has added support for Option 81 to its QIP Enterprise 5.0, a DHCP server, but most other DHCP servers have not. Without Option 81 in DHCP, Win 2000 clients bypass DHCP servers and update the records themselves.
With all the issues involved in integrating Unix-based DNS and Win 2000, some users have chosen to isolate the Microsoft software.
"We will use Win 2000 on a subdomain with DDNS, but DDNS won't be used broadly," says Richard Jones, IT security coordinator for the University of Colorado at Boulder. "We won't run Microsoft DNS servers; Windows will get DNS services from Unix."
Given the hierarchy that DNS creates, experts say Jones' solution is a valid design and one that Microsoft even recommends.
Until some of the DNS integration issues are ironed out, users may be well advised to follow that example.